240200 – (CVE-2007-2754) CVE-2007-2754 freetype integer overflow

Bug 240200 (CVE-2007-2754) - CVE-2007-2754 freetype integer overflow

Summary: CVE-2007-2754 freetype integer overflow

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-2754
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	240573 240574 240575 240577 484441 484442 484443 484444 502565
Blocks:
TreeView+	depends on / blocked

Reported:	2007-05-15 18:57 UTC by Josh Bressers
Modified:	2019-09-29 12:20 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-12-19 10:37:44 UTC
Embargoed:

Attachments	(Terms of Use)
Proposed upstream patch (892 bytes, patch) 2007-05-15 18:57 UTC, Josh Bressers	no flags	Details \| Diff
proposed backported patch to freetype1 (753 bytes, patch) 2009-04-16 17:21 UTC, Vincent Danen	no flags	Details \| Diff
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0403	normal	SHIPPED_LIVE	Moderate: freetype security update	2008-01-09 15:48:23 UTC
Red Hat Product Errata	RHSA-2009:0329	normal	SHIPPED_LIVE	Important: freetype security update	2009-05-22 12:21:55 UTC
Red Hat Product Errata	RHSA-2009:1062	normal	SHIPPED_LIVE	Important: freetype security update	2009-05-22 12:06:25 UTC

Description Josh Bressers 2007-05-15 18:57:20 UTC

Victor Stinner discovered an integer overflow bug in the way freetype processed
malformed TTF fonts:
http://lists.gnu.org/archive/html/freetype-devel/2007-04/msg00041.html

The patch can be found here:
http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178

It appears that this flaw will result in a heap overflow condition:

    flag_limit = flag + n_points;
...
    while ( flag < flag_limit )
    {
...
      *flag++ = c = FT_NEXT_BYTE( p );

Comment 1 Josh Bressers 2007-05-15 18:57:20 UTC

Created attachment 154762 [details]
Proposed upstream patch

Comment 3 Tomas Hoger 2007-12-19 10:37:44 UTC

Problem was fixed in affected Red Hat Enterprise Linux:

  http://rhn.redhat.com/errata/RHSA-2007-0403.html

and Fedora versions.

Comment 5 Vincent Danen 2009-04-16 17:21:25 UTC

Created attachment 339881 [details]
proposed backported patch to freetype1

Comment 6 errata-xmlrpc 2009-05-22 12:06:35 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 2.1

Via RHSA-2009:1062 https://rhn.redhat.com/errata/RHSA-2009-1062.html

Comment 7 errata-xmlrpc 2009-05-22 12:22:25 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html

Note You need to log in before you can comment on or make changes to this bug.